Stamper: A PGP-Based Time Stamping Service

Stamper is an email-based system that provides secure, digital corroboration of timestamping of messages and documents.

Early in 1995 I was looking for an automatic digital timestamping service which could be used to corroborate the date at which I had signed a document with PGP. At that point I could only find one commercial service and that used proprietary software.

I therefore resolved to setup such a service which would be free of charge to users. I wanted to use PGP as the signing software and provide the service by Internet email, which was at the time by far the most common form of connection to the Internet.

 

DiskCryptor – Open Source Whole Disk Encryption for Windows

Bruce Sterling has said he’s been using Symantec’s Endpoint Encryption software for full disk encryption ever since the demise of TrueCrypt. I used Symantec’s product — which is really just a commercialization of PGP — many years ago before TrueCrypt became so popular. It worked well and I’m sure it is still a great solution IF you can afford the $85/workstation license.

So instead, I’ve been using the open source DiskCryptor for all of my whole disk encryption needs for Windows.So far I haven’t had any issues with it and from what I can tell it is a least as secure as TrueCrypt was (i.e., it’s likely to stymie local cops, but state actors have many ways to obtain passphrases if they want to devote sufficient resources — not sure they’re likely to do so for my porn collection, however).

 

 

 

Amazon Glacier

Amazon Glacier is the cheaper, slower cousin to Amazon’s S3 storage. Whereas S3 currently costs US$0.095 per gigabyte per month, Glacier is a mere US$0.01 per gigabyte per month.

The tradeoff for the lower cost is that Glacier is effectively offline storage. If you want to download the data you have stored, you have to request that Glacier retrieve the data and make it available for download, and fulfilling that requests “typically” takes 3-5 hours according to Amazon.

Since the expectation is that Glacier data will only be accessed infrequently, there is also a US$0.12 per gigabyte charge to download more than a nominal 1 gigabyte per month.

So, storing 1 terabyte of data with Glacier will cost you roughly $10/month, but if you ever want to download it all in a month, that would run you $120.

Where something like Glacier shines is in long-term backups. For example, I have a 3 terabyte drive that stores all of my personal data. I have a couple of extra hard disks that I use to create local backups and store at various locations.

I used to use Amazon’s S3 as an online backup repository, but as I got closer to having 1 terabyte stored there, the cost became prohibitive and I ended up deleting it. But using something like Glacier, I could store 3 terabytes online for $30/month. The limitations on accessing the data really don’t concern me, since what I’m looking for is an offsite repository to store my data in case I experience a catastrophic failure with my local backups.

There are just two challenges: uploading the data to Glacier and protecting it adequately.

I’m primarily a Windows users, and have had a lot of success with FastGlacier, a freeware Windows tool designed to make it easier to upload data to Glacier and keep Glacier and local data in sync.

Glacier has a number of complications that S3 does not, and a program like FastGlacier helps smooth out some of the rough edges for those of us who just want to get our data into Glacier.

Protecting that data is another matter. Amazon encrypts the data that is uploaded to Glacier, but it is encrypted in a way that Amazon itself can decrypt. So if Amazon were hacked, for example, there is the potential that the keys to unlocking any data stored on Glacier (or S3) could be compromised.

It is absolutely crucial that any data intended for long-term storage be encrypted client-side by the person doing the uploading. Again, since I am primarily a Windows user I use the open source Gpg4Win to encrypt all of my files before I upload them to Glacier. Gpg4Win adds a GpgEX option in the file manager’s context menu so that it is relatively easy to encrypt specific files or entire directories.

MonkeySphere – Using OpenPGP to Route Around Broken Web Security Model

The Monkeysphere Project is a project to use OpenPGP to securely identify servers in web browsers and elsewhere that routes around the growing potential problems with certificate authentication. As The Monkeysphere website sums it up,

Everyone who has used a web browser has been interrupted by the “Are you sure you want to connect?” warning message, which occurs when the browser finds the site’s certificate unacceptable. But web browser vendors (e.g. Microsoft or Mozilla) should not be responsible for determining whom (or what) the user trusts to certify the authenticity of a website, or the identity of another user online. The user herself should have the final say, and designation of trust should be done on the basis of human interaction. The Monkeysphere project aims to make that possibility a reality.

. . .

When you direct the browser to an https site using the Monkeysphere plugin and validation agent, if the certificate presented by the site does not pass the default browser validation (using standard, hierarchical X.509), the certificate and site URL are passed to the validation agent. The agent then checks the public keyservers for keys with UIDs matching the site url (e.g. https://zimmermann.mayfirst.org). If there is a trust path to that key, according to your own OpenPGP trust designations, the certficate is considered valid, and a browser ‘security exception’ is put in place to allow connections to the site.

Don’t Leave Your Draft Designs Laying Around Web

I am a big fan of encrypting my laptop’s hard drive, and typically use PGP Whole Disk Encryption product for that purpose. So yesterday I installed the 30-day trial, encrypted the drive, and ran it through its paces. As usual, WDE impresses me for its speed and unobtrusiveness.

But paying for  it — that’s a whole other ball of wax. So I open up PGP, go to the “Buy a License” setting, and end up at their online store. Put in my credit card and other details and hit submit.

Uh oh — server error message. But there’s a helpful mailto link that suggests I send a notice to the web master to resolve the problem. So I click on the link, draft a quick “I’m just trying to register PGP WDE” and hit send.

And, of course, it bounces back. The interesting thing, though, is the e-mail address is clearly a dummy filler address that the web designer put in with the intent of adding a real address later . . . in fact the designer helpfully named the placeholder e-mail address:

changeme@pgp.com

Except, of course, it looks like no one ever bothered to go in and change changeme@pgp.com

Sigh. I’ll try again tomorrow.

Serious Google Calendar Encryption with GnuPGP

IBM’s Nathan Harrington has written an article outlining how to use the GnuPGP Firefox extension to create encrypted events within Google Calendar. This isn’t just accessing Google Calendar securely, but rather encrypting event details locally before passing that text on to Google Calendar. Anyone who compromises your Google account then would know the time of events, but would only see encrypted text for the actual event detail as in the example below,

That is frackin’ awesome. Now if there were only a GnuPGP plugin for my Blackberry calendar so I could sync the events meaningfully.